W

While companies today want to collaborate throughout their organization and work closely with business partners, they might need to limit access to documents in a collection to meet security, privacy, and quality control requirements. Access control is a fundamental component to help protect confidential information and minimize risk to your business or organization, according to this TechTarget article. In this blog, we go over the details of the User Access Control feature and how to set up who can view or modify data at the document-level and collection-level.

There are multiple ways admins can apply User Access Control attributes to their Macrometa Global Data Network (GDN) user accounts and API keys. These attributes can ‌limit access to documents at run time in Query Workers by applying the four following options.

Use document-level access control to:

  • Manage who can view documents.
  • Determine who can modify documents.

Use collection-level access control to:

  • Manage who has access to collections.
  • Govern access by both users and API keys.

Document-level and collection-level access control with attributes

Let's use an example to illustrate how you can use attributes to implement document-level access control and collection-level access control. We have a fulfillment company that is made up of partners and employees. Partners have items they want the fulfillment company to fill, and the employees fulfill the orders of their partner's items.

For these examples, we have three collections:

  • Items: The items that the partners want the fulfillment company to ship.
  • Orders: The orders that the fulfillment company has to fill. 
  • Employees: List of all the fulfillment employees.

And the fulfillment company wants to provide some queries that their partners and employees can use:

  • Partners can only see their items, but can't update them.
  • Partners can see their orders and update orders when filled.
  • Partners can’t see employees.
  • Store employees can see all items and orders, but can’t update them.

Every partner has a unique API key. This key is used to authenticate them and restrict access to their information. Employees use their credentials for authentication and access control.

Let's add some data to the collections:

Partner #1: ACME Company -- API Key: acme_key.897b6e...

Partner #2: General Hardware Store - API Key: generalhw.28bc97…

Each API Key is being assigned a partner attribute:

We have three employees, one is an admin.

We have the employees collection:

We have several hardware items in our items collection:

And finally, we have two orders in our orders collection:

Query Worker examples

In this section, we are creating four Query Workers to implement the queries mentioned above.

Partners can only see their items, but can't update them

Query Name: PartnerItems

When we execute this Query Worker, we only see items for this partner:

Query Result:

This shows how document-level access control is used to control who can view documents.

Partners can see their orders and update orders when filled

Query Name: PartnerOrders

Query Name: PartnerOrdersUpdate

Executing the PartnerOrders query only returns the orders for that partner:

Query Result:

And updating an ACME order:

Query Result:

Now updating another partner order (Customer 2):

Query Result:

This does not update any orders and shows how document-level access control can ‌control who can change documents.

Partners can not see employees

Query Name: Employees

Query Result:

And here partners cannot view employee data. This shows how collection-level access control can ‌control who has access to collections.

Store employees can see all items and orders, but cannot update them

We are enhancing our previous PartnerOrders and PartnerOrdersUpdate Query Worker to accommodate employees. We want all valid partners and employees to ‌view orders and all valid partners and employees who are admins to update orders.

Query Name: ViewOrders

Query Name: OrdersUpdate

Executing the ViewOrders query by a partner returns the orders for that partner:

Query Result:

And executing the ViewOrders by an employee returns all orders:

Query Result:

A valid partner can update an ACME order:

Updates the order:

An employee admin can also update an ACME order:

Updates the order:

This shows how document-level access control can be controlled by API key attributes and user attributes at the same time.

Next steps

User and API attributes are powerful tools to help with access control decisions on queries. Whether you are trying to limit documents or collections – or limit the viewing or modification of data – user and API attributes can address your requirements. After viewing these examples, you can quickly get started and apply attributes within your own GDN — based on your access control requirements. If you are new to Macrometa and would like to try out User Access Control or other features, sign up for a forever free dev account and see everything you can do in one platform.

Photo by Phil on Unsplash

Posted 
Jun 10, 2022
 in 
Tutorial
 category

More from 

Tutorial

 category

View All

Join Our Newsletter and Get the Latest
Posts to Your Inbox